Playing in the Digital Highway: Improperly Secured Data Puts Students At Risk

When you think of cybersecurity, protecting credit card numbers or government files might come to mind, but your students’ PII (Personally Identifying Information) is a target for hackers, too.

Young people make great targets because they’re a clean slate. They’re not using their identities to get a mortgage or credit card or anything, so no one is checking up on them. They also have a tremendous amount of personal information being shared – including medical, mental health, contact information, and performance evaluations in academia and sports or the arts – and it’s being saved in various, often poorly secured, locations. And finally, but perhaps of the highest utility to hackers, children are great targets because people will do ANYTHING to protect them.

It CAN Happen Here

If you’re thinking to yourself that you live in a quiet small town with no crime, no draw for a terrorist plot, think again. Yours might be the ideal spot to stage a crime like this. Look to a small Montana school district Columbia Falls in Flathead County. Home to nearly 16,000 students, the district’s parents and administrators received text messages and a seven-page letter containing threats, repeated references to Sandy Hook, creepy quotes, and claiming that the FBI could not help anyone.

Hackers generally don’t target specific cities, but instead are constantly searching for vulnerabilities wherever they may occur, security experts said. “The trick about ransomware right now is that it’s typically not a targeted, focused attack,” said Christopher Krebs, a senior official at the Department of Homeland Security, at a recent mayors’ conference in Boston. “You’re not special.” Source: WSJ

This came seemingly from nowhere, but as the extortionists explained, the choice was deliberate: the district had vulnerabilities that made it easy to gain access to confidential files. With all of the other concerns that educators have, it can be easy to overlook securing digital information properly. You may not even understand the threats that exist, and it’s hard to find qualified Information Technology professionals willing to stick it out for the comparatively low salaries school districts offer.

2017 Cyber Terrorism Attacks

A recent FBI briefing regarding attacks across the country at multiple school districts describes a terrifying ordeal: people all over the district awoke to find text messages informing them that their students’ information was up for ransom. Hackers had taken advantage of vulnerabilities in web-facing district servers to extract student PII (Personally Identifying Information). Victims received physical threats, were told that this information would be used for bad ends unless the district paid a ransom.

The extracted Information included:

Parent, guardian, and student phone numbers

Education plans

Homework assignments

Medical records

Counselor reports

Grades or other testing records

The hackers also demanded their ransoms in cryptocurrency, making it hard for local authorities to follow the trail (for now).

How Is PII Being Used?

PII can be used to forge false online identities, to launder money or get bad actors into the country. And once the information is out there, how do you safely get the genie back into the bottle? A child’s entire future (financial, academic) or even their physical safety is under threat if their identifying information ends up sold to bad actors. When you hold transcripts, grades, and achievements for ransom, you’re waving the flag at a future that’s quickly disappearing into the distance. Prevention is best. So where are your areas of vulnerability, and how can you shore them up?

Common Vulnerabilities

Phishing Scams

These are communications from supposedly friendly senders meant to entice you to open an email, text message, or oother messages or to click on a link. A “social engineering” hack, phishing attacks are meant to gather confidential or personal information. Make sure graphics look normal, hover over links to read their description, and check for any suspicious formatting or wording.

Phishing attacks can also come by phone. Do not give confidential information over the phone to someone who has called you first. Instead, agree to call the company back from the number that you have in your records. Don’t just click “ok” on an unexpected pop-up.

Non-school devices – your network should be configured to recognize new devices.

Educational apps that store student identifying information

Carefully read through privacy and security information from new software or EdTech websites.

Improperly shared or stored PII

Make sure everything is encrypted and password-protected.

Ignorant or non-compliant personnel – not updating software, not checking edtech vendors out, not understanding what looks or is suspicious, not reporting suspicious activities.

Research privacy acts like FERPA, COPPA, and the PPRA as well as any state laws regarding privacy and educate staff and faculty so that everyone understands what is expected of educators and vendors of EdTech services.

Do a survey of teachers, librarians and IT staff to see what software is being used in the school, and what information is being collected. It might be helpful to see all in one reports on how much information is being collected, and how many different services are collecting it.

Bonus: if anything happens, you know where leaks may have come from.

If parents want more specific information about these services, you’ll be able to tell them what services or websites their child’s teachers use.

Review the privacy policies of EdTech companies that are being used in your district.

Check for vulnerabilities in your data storage procedures.

Are you updating software when you’re supposed to?

Does everyone have their own passwords to get into high-value/confidential data storage locations?

If you have evidence your child’s data may have been compromised, or if you have experienced any of the Internet crimes described in this PSA, please file a complaint with the Internet Crime Complaint Center at www.ic3.gov.